CVE-2011-2930 — SQL Injection in Project Activerecord

CWE-89 — SQL Injection7 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.0%

top 23.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Activerecord Project Activerecord Rubyonrails Ruby ON Rails

Timeline

PublishedAug 29

Latest updateOct 24

Description

Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages4 packages

▶RubyGemsactiverecord_project/activerecord2.0.0 — 2.3.13+2

▶Debianrubyonrails/rails< 2.3.14+3

▶NVDrubyonrails/rails29 versions+28

▶NVDrubyonrails/ruby_on_rails3.0.4

Patches

Patch: groups.google.com ↗Patch: weblog.rubyonrails.org ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

activerecord vulnerable to SQL Injection↗2017-10-24

▶

GHSA

activerecord vulnerable to SQL Injection↗2017-10-24

▶

OSV

CVE-2011-2930: Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapte↗2011-08-29

▶

CVEList

CVE-2011-2930: Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapte↗2011-08-29

▶

📋Vendor Advisories

Debian

CVE-2011-2930: rails - Multiple SQL injection vulnerabilities in the quote_table_name method in the Act...↗2011

▶

💬Community

Bugzilla

CVE-2011-2930 rubygem-activerecord: SQL injection vulnerability in quote_table_name (Ruby on Rails)↗2011-08-17

▶